PayPal, accounts hacked with the “credential stuffing” method

PayPal, account violati con il metodo "credential stuffing" thumbnail

PayPal is sending notifications of data breach to many users: it appears that hackers have accessed their accounts via attacks of “credential stuffing“. This would have exposed the personal data of some users. But what is credential stuffing and how to defend yourself?

Amazon Music: 3 months free with no subscription required

PayPal, accounts hacked with the credential stuffing method

Credential stuffing is an attack in which hackers attempt to access an account by trying username and password pairs from data leaks from other websites. Leverage an automated approach, with bots that run lists of credentials (usually remedied on the dark web). A type of attack that leaves people who use the same password for multiple online accounts vulnerable, known as “password laundering.”

PayPal explains that the credential stuffing attack would have happened between 6 and 8 December 2022. The company at the time took it over and mitigated it. It also launched an internal investigation to find out how hackers gained access to the accounts. PayPal concluded its investigation on December 20, confirming that unauthorized third parties have accessed accounts with valid credentials. However, this would not be due to a hack into PayPal’s systems and there is no evidence as to where the passwords came from.

It seems that the affected accounts are 34,942. The hackers gained access to the account holders’ full names, birthdates, postal addresses, social security numbers, and tax identification numbers. Also they would have had the chance to see ctransaction history, linked credit or debit card details and PayPal billing information.

The company explains that it immediately limited access to intruders and notified affected accounts to change their access passwords. And in the notification, PayPal explains that the attack it would not lead to any unauthorized transitions.

How to avoid these problems?

The first thing to pay attention to is not to use the same password for multiple accounts. There are several password protection services such as Bitwarden or those offered by antivirus and browsers that generate random passwords and keep everything in encrypted virtual safes.

But the difference in this case, as PayPal itself points out, is the difference multifactor authentication. By activating two-factor authentication from “Settings”, in addition to your username and password, hackers would need to have access to your smartphone and your fingerprints or facial recognition. Turn it on to avoid such problems.